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AMENDMENTS TO THE CLAIMS QK TO ENTER: /L.H./ (04/27/2009) 
Amended claims follow: 

1 . (Currently Amended) A computerized method comprising: 
determining an active networked application; 

filtering a set of intrusion rules to create a subset of intrusion rules corresponding 
to the active networked application, where the subset of the intrusion rules corresponding 
to the active networked application are capable of being used for evaluating intrusions 
that target the corresponding active networked application;[[ and]] 

evaluating network traffic using the subset of intrusion rules; 

detecting when no networked application is active: and 

suspending the evaluating of network traffic until a networked application is 

active: 

wherein the subset of the intrusion rules corresponding to the active networked 
application are used for the evaluation for reducing a required amount of processing 
resources. 

2. (Original) The computerized method of claim 1 further comprising; 
detecting when the active networked application becomes inactive; and 
re-filtering the set of intrusion rules. 

3. (Currently Amended) The computerized method of claim 2, wherein the detecting 
when the active networked application becomes inactive comprises: 

monitoring network connection terminations. 

4. (Currently Amended) The computerized method of claim 2, wherein the detecting 
when the active networked application becomes inactive comprises: 

monitoring application terminations. 



5. (Cancelled) 
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6. (Currently Amended) [[The]]A computerized method [[of claim 1 .n comprisine: 
determining an active networked application: 

filtering a set of intrusion rules to create a subset of intrusion rules corresponding 
to the active networked application, where the subset of the intrusion rules corresponding 

to the active networked application are capable of being used for evaluating intrusions 

that target the corresponding active networked application: 

evaluating network traffic using the subset of intrusion rules: and 

continuing the evaluating of network traffic if no networked application is active: 

wherein the subset of the intrusion rules corresponding to the active networked 

application are used for the evaluation for reducing a required amount of processing 

resources; 

wherein the subset of rules further corresponds to an operating syste m and farther 
comprising: 

continuing tho evaluating of network traffic if no network e d application is activ e. 

7. (Original) The computerized method of claim I , wherein the determining 
comprises: 

detecting when a network connection for an active application is initiated. 

8. (Original) The computerized method of claim 1, wherein the filtering comprises: 
marking an intrusion rule corresponding to the active networked application. 

9. (Original) The computerized method of claim 1, wherein the filtering comprises: 
extracting the subset of rules into an oprimized set of rules. 

1 0. (Original) The computerized method of claim 1 , wherein the evaluating 
comprises: 

analyzing network traffic on a port specified in the subset of rules. 
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1 1 . (Original) The computerized method of claim 1 , wherein the evaluating 
comprises: 

analyzing network traffic for a protocol specified in the subset of rules. 

12. (Original) The computerized method of claim 1, wherein the evaluating 
comprises: 

discarding network traffic that satisfies at least one of the subset of rules; and 
reporting an intrusion attempt. 

1 3. (Original) The computerized method of claim 1 , wherein the set of intrusion rules 
comprises signatures of known attacks. 

14. (Original) The computerized method of claim 1 , wherein the set of intrusion rules 
comprises heuristic rules. 

1 5. (Currently Amended) A computer-readable medium having executable 
Instructions to cause a computer to perform a method comprising: 

determining an active networked application; 

filtering a set of intrusion rules to create a subset of intrusion rules corresponding 
to the active networked application, where the subset of the intrusion rules corresponding 
to the active networked application are capable of being used for evaluating intrusions 
that target the corresponding active networked application;[[ and]] 

evaluating network traffic using the subset of intrusion rules; 

detecting when no networked application is active; and 

suspending the evaluatinR of network traffic until a network application is active: 

wherein the subset of the intrusion rules corresponding to the active networked 
application are used for the evaluation for reducing a required amount of processing 
resources. 

1 6. (Original) The computer-readable medium of claim 1 5, wherein the method 
further comprises: 
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detecting when the active networked application becomes inactive; and 
re-filtering the set of intrusion rules. 

17. (Currently Amended) The computer-readable medium of claim 1 6, wherein the 
detectin g when the active networked application becomes inactive comprises: 

monitoring network connection terminations. 

1 8. (Currently Amended) The computer-readable medium of claim 1 6, wherein the 
detectin g when the active networked application becomes inactive comprises: 

monitoring application terminations. 

19. (Cancelled) 

20. (Currently Amended) [[The]]A computer-readable medium [[of claim 1 5,]]haying 
executable instructions to cause a computer to perform a method comprising: 

determining an active networked application: 

Filtering a set of intrusion rules to create a subset of intrusion rules corrcspondina 
to the active networked application, where the subset of the intrusion rules corresponding 
to the active networked application are capable of being used for evaluating intrusions 
that target the corresponding active networked application: 

evaluating network traffic using the subset of intrusion rules: and 
continuing the evaluating of network traffic if no networked application is active: 
wherein the subset of the intrusion rules corresponding to the active networked 
a pplication are used for the evaluation for reducing a required amount of processing 
resources: 

wherein the subset of rules fiuther corresponds to an operating system-and-the 
method further compris e s: 

continuing tlie evaluating of network traffic if no networked application is octivo . 

2 1 . (Original) The computer-readable medium of claim 1 5, wherein the determining 

comprises: 
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detecting when an active application initiates a network connection. 

22. (Original) The computer-readable medium of claim 1 5, wherein the filtering 
comprises: 

marking an intrusion rule corresponding to the active networked application. 

23. (Original) The computer-readable medium of claim 15, wherein the filtering 

comprises: 

extracting the subset of rules into an optimized set of rules. 

24. (Original) The computer-readable medium of claim 1 5, wherein the evaluating 
comprises: 

analyzing network traffic on a port specified in the subset of rules. 

25. (Original) The computer-readable medium of claim 1 5, wherein the evaluating 
comprises: 

analyzing network traffic for a protocol specified in the subset of rules. 

26 (Original) The computer-readable medium of claim 1 5, wherein the evaluating 

comprises: 

discarding network traffic that satisfies at least one of the subset of rules; and 

reporting an intrusion attempt. 

27. (Original) The computer-readable medium of claim 1 5, wherein the set of 
intrusion rules comprises signatures of known attacks. 

28. (Original) The computer-readable medium of claim 1 5, wherein the set of 
intrusion rules comprises heuristic rules. 

29. (Currently Amended) A system comprising: 

a processor coupled to a memory through a bus; and 
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an intrusion prevention process executed from the memory by the processor to 
cause the processor to determine an active networked application, to filter a set of 
intrusion rules to create a subset of intrusion rules corresponding to the active networked 
application, where the subset of the intrusion rules corresponding to the active networked 
application are capable of being used for evaluating intrusions that target the 
corresponding active networked application, and to evaluate network traffic using the 
subset of intrusion rules; 

wherein the subset of the intrusion rules corresponding to the active networked 
application are used for the evaluation for reducing a required amount of processing 
resources; 

wherein the intrusion prevention process fiirther causes the processor to detect 
when no networked application is active, and to suspend the evaluating of network traffic 
until a network application is active. 

30. (Original) The system of claim 29, wherein the intrusion prevention process 
further causes the processor to detect when the active networked application becomes 
inactive, and to rc-filtcr the set of intrusion rules. 

3 1 . (Original) The system of claim 30, wherein the intrusion prevention process 
further causes the processor to monitor network connection terminations in detecting 
when the active networked application becomes inactive. 

32. (Original) The system of claim 30, wherein the intrusion prevention process 
further causes the processor to monitor application terminations in detecting when the 
active networked application becomes inactive. 

33. (Cancelled) 



34. (Currently Amended) [[The]]A system [[of claim 29.]1 comprisine: 
a processor coupled to a memory through a bus: and 
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an intrusion prevention process executed from the memory by the processor to 
cause the processor to detennine an active networked application, to Filter a set of 
intrusion rules to create a subset of intrusion rules corresponding to the active networked 
a pplication, where the subset of the intrusion rules corresponding to the active networked 
application are capable of being used for evaluating intrusions that target the 
corresponding active networked application, and to evaluate network traffic using the 
subset of intmsion rules: 

wherein the subset of the intrusion rules corresponding to the active networked 
application are used for the evaluation for reducing a required amount of processing 
resources; 

wherein the intrusion prevention process further causes the processor to further 
filter the intrusion rules based on an operating system and to continue the evaluating of 
network traffic if no networked application is active. 

35. (Original) The system of claim 29, wherein the intrusion prevention process 
further causes the processor to detect when an active application initiates a network 
connection in determining an active networked application. 

36. (Original) The system of claim 29, wherein the intrusion prevention process 
further causes the processor to mark an intrusion rule corresponding to the active 
networked application in filtering the set of intrusion rules. 

37. (Original) The system of claim 29. wherein the intrusion prevention process 
further causes the processor to extract the subset of rules into an optimized set of rules in 
filtering the set of intnision rules. 

38. (Currently Amended) The system of claim 29, wherein the intrusion prevention 
process further causes the processor to analyze network traffic on a port specified in the 
subset of rules in the evaluating of the network traffic. 
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39. (Currently Amended) The system of claim 29. wherein the intrusion prevention 
process ftirther causes the processor to analyze network traffic for a protocol specified in 
the subset of rules in the evaluating of the network traific. 

40. (Original) The system of claim 29, wherein the intrusion prevention process 
further causes the processor to discard network traffic that satisfies at least one of the 
subset of rules, and to report an intrusion attempt in the evaluating of the network traffic. 

4 1 . (Original) The system of claim 29, wherein the set of intrusion rules comprises 
signatures of known attacks. 

42. (Original) The system of claim 29, wherein the set of intrusion rules comprises 
heuristic rules. 

43. (Currently Amended) An apparatus comprising: 

means for determining when an active application becomes an active networked 
application; 

means for filtering coupled to the means for determining to create a subset of 
intrusion rules corresponding to the active networked application from a set of intrusion 
rules, where the subset of the intrusion rules corresponding to die active networked 
application are capable of being used for evaluating intrusions that target the 
corresponding active networked application; and 

means for evaluating coupled to the means for filtering to evaluate network traffic 
using the subset of intrusion rules; 

wherein the subset of the intrusion rules corresponding to the active networked 
application are used for the evaluation for reducing a required amount of processing 
resources: 

wherein the means for determining fiirther detects when no networked aoolication 
is active and the means for evaluating further suspends the evaluation of network traffic 
until the means for determining determines a networked application is active . 
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44. (Original) The apparatus of claim 43, wherein the means for determining further 
detects when the active networked application becomes inactive and the means for 
filtering further re-filters the set of intrusion rules when the active networked application 
becomes inactive. 

45. (Cancelled) 

46. (Currently Amended) [[The]] An apparatus [[of claim 43.1] comprisirm 

means for determining when an active application becomes an active networked 
application; 

means for filtering coupled to the means for determininp to create a subset of 
intrusion rules corresponding to the active networked application from a set of intrusion 
rules, where the subset of the intrusion rules corresponding to the active networked 
application are capable of being used for evaluating intrusions that target the 
corresponding active networked application: and 

means for evaluating coupled to the means for filtering to evaluate network traffic 
using the subset of intrusion mlcs; 

wherein the subset of the intrusion rules corresponding to the active networked 
application are used for the evaluation for reducing a required amount of processing 
resources: 

wherein the means for filtering further filters the intrusion rules corresponding to 
an operating system and the means for evaluating continues the evaluation of network 
traffic when the means for determining determines no networked application is active. 

47. (Original) The apparatus of claim 43, wherein the means for evaluating 
comprises: 

means for discarding network traffic that satisfies at least one of the subset of 
rules; and 

means for reporting an intrusion attempt. 
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48. (Previously Presented) The computerized method of claim 1 , wherein the 
intrusion rules include information selected from the group consisting of a targeted active 
networked application, a specific hostile payload, a network port, and a protocol. 

49. (Previously Presented) The computerized method of claim 1 , wherein the 
intrusion rules include an attack signature. 

50. (Previously Presented) The computerized method of claim 1 , wherein at least one 
of the intrusion rules is a heuristic rule. 

5 1 . (Previously Presented) The computerized method of claim 50, wherein the heuristic 
rule includes information associated with an active networked application making a new 
connection never previously made. 



